Uninstall selfsign CA on upgrade

This will convert a master with a selfsign CA to a CA-less one in ipa-upgradeconfig. The relevant files are left in place and can be used to manage certs manually. Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
2025-02-25 18:55:28 -06:00 · 2013-03-26 18:06:50 +01:00
parent fe00788bb4
commit 4e3c1051d0
4 changed files with 43 additions and 8 deletions
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -709,11 +709,7 @@ class DsInstance(service.Service):

        serverid = self.restore_state("serverid")
        if not serverid is None:
-            # drop the trailing / off the config_dirname so the directory
-            # will match what is in certmonger
-            dirname = config_dirname(serverid)[:-1]
-            dsdb = certs.CertDB(self.realm_name, nssdir=dirname)
-            dsdb.untrack_server_cert(self.nickname)
+            self.stop_tracking_certificates(serverid)
            erase_ds_instance_data(serverid)

        # At one time we removed this user on uninstall. That can potentially
@@ -735,6 +731,16 @@ class DsInstance(service.Service):
            except Exception, e:
                root_logger.error('Unable to restart ds instance %s: %s', ds_instance, e)

+    def stop_tracking_certificates(self, serverid=None):
+        if serverid is None:
+            serverid = self.get_state("serverid")
+        if not serverid is None:
+            # drop the trailing / off the config_dirname so the directory
+            # will match what is in certmonger
+            dirname = config_dirname(serverid)[:-1]
+            dsdb = certs.CertDB(self.realm_name, nssdir=dirname)
+            dsdb.untrack_server_cert(self.nickname)
+
    # we could probably move this function into the service.Service
    # class - it's very generic - all we need is a way to get an
    # instance of a particular Service
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -376,8 +376,7 @@ class HTTPInstance(service.Service):
        if not running is None:
            self.stop()

-        db = certs.CertDB(api.env.realm)
-        db.untrack_server_cert(self.cert_nickname)
+        self.stop_tracking_certificates()
        if not enabled is None and not enabled:
            self.disable()

@@ -404,3 +403,7 @@ class HTTPInstance(service.Service):

        if not running is None and running:
            self.start()
+
+    def stop_tracking_certificates(self):
+        db = certs.CertDB(api.env.realm)
+        db.untrack_server_cert(self.cert_nickname)
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -292,6 +292,9 @@ class Service(object):
    def restore_state(self, key):
        return self.sstore.restore_state(self.service_name, key)

+    def get_state(self, key):
+        return self.sstore.get_state(self.service_name, key)
+
    def print_msg(self, message):
        print_msg(message, self.output_fd)